Keeping Patient Information

HIPAA is…

- A Federal law called the Health Insurance Portability and Accountability Act of 1996
- One part of HIPAA is the Privacy
- The main purpose of the HIPAA Privacy Rule is to provide better protections for patients' protected health information (PHI).
PROTECTED HEALTH INFORMATION (PHI)

- Covers patient information in any form: written, verbal, or electronic
- PHI includes:
  - Any information that can be used to identify the patient, for example, name, address, social security number, medical record number, telephone number, patient account number
  - Anything about the patient's medical conditions and treatment: past, present, or possible
  - Billing and payment records
Before You Access Patient Information, Ask Yourself

1. Is the patient information I am about to access necessary for me to complete my job?
2. Am I accessing only the minimum necessary to complete my job, no more and no less?
3. Am I accessing, using, or disclosing this information for treatment, payment, or health care operations?
4. If I am accessing, using, or disclosing this information, should I have a signed authorization from the patient?
When is it Okay to Share PHI?

- Share only the minimum amount of PHI necessary to fulfill the job
- Share PHI only with those with a clinical or business need to know
- Share only the amount of PHI requested. The entire medical record may not be needed.
Examples of Minimum

- A billing clerk may need to know what laboratory test was done, but not the result
- An admissions clerk does not need to have access to the full medical record in order to carry out his/her job
- A patient transporter typically does not need to access the full medical record to do his/her job
Snooping and Casual Disregard… Our Greatest Risk

- Accessing the medical records of family members, friends, ex-spouses, neighbors, celebrities, etc.
- Failure to verify the authority of the individual receiving the PHI
- Improper use of technology such as camera phones, texting, and social networking sites
- Employees exceeding their scope of job duty
Are You a Criminal?

- Choosing not to comply with HIPAA could result in civil and criminal penalties, including going to jail
- If you obtain or disclose PHI without proper authority, you may face a fine of up to $50,000 and up to one year of jail time
- If you obtain PHI with the intent to sell it, give it to someone else, or for malicious reasons, you could receive a $250,000 fine and up to 10 years in jail
What is the Difference Between Use and Disclosure of PHI?

- USE is sharing PHI within the facility
- DISCLOSURE is sharing PHI outside of the facility
What is a Breach

- Breach means the unauthorized acquisition, access, use, or disclosure of PHI maintained by or on behalf of a person.
- A breach does not include any unintentional acquisition, access, use, or disclosure made in good faith and within the course and scope of your job, provided such information is not further acquired, accessed, used, or disclosed.
- In other words, just looking up someone's PHI, even if you don't print it or tell someone else, is a breach, and you will be subject to disciplinary action up to and including termination.
Incidental Uses & Disclosures

An incidental use or disclosure is not a violation of HIPAA provided the facility has applied reasonable safeguards and implemented the minimum necessary standard.

Examples of incidental uses and disclosures:
- Discussions during teaching rounds
- Calling out a patient's name in the waiting room
- Sign-in sheets in hospitals and clinics containing the minimum information necessary
Protecting Patient Privacy

- Close curtains and speak softly when discussing treatments in semi-private rooms
- Log off of the computer when not attended
- Dispose of patient information in accordance with hospital policy and procedure
- Clear patient information off of your desk and place it in a secure location when not in use
- Verify fax numbers and addresses before sending PHI
Protecting Patient Privacy

Do NOT:
- Discuss a patient in public areas such as elevators, hallways, or cafeterias, or outside the facility or office
- Share your computer username, ID, or password
- Look at information about a patient unless you need it to do your job
- Take information about patients (including nursing report notes) home
- Discuss patient information in front of visitors without the explicit, documented authorization of the patient
- Post any patient-related information in church bulletins, Facebook, MySpace, or any other social networking websites
- Bring friends or family into areas of the facility, clinic, or agency where they can see or hear patients receiving care or where they might have access to PHI
Sharing PHI with Family & Friends

- The patient must be given the opportunity to agree, restrict, or object to providing PHI to family members, friends, or others identified by the patient as involved in the patient's care or payment for health care
- Document the patient's decision
- Use professional judgment to determine if disclosing PHI would be in the patient's best interest if the patient is unable to agree or
Areas of Concern

- Friends/family/self: when you are seeking information on your family, friends, or yourself, you are not acting as an employee and you must access PHI using the procedures required for non-employees. This means you need a written authorization for release of information, which can be obtained in HIM.
- You are not permitted to access your own medical records
Areas of Concern

- Employees as patients: information available to the facility as a healthcare provider is not generally available to it in the role of an employer. For example, if an employee comes into the ED, his/her supervisor or co-workers should not be accessing his/her ED information.
- This can be a challenging area: call the Facility Privacy Officer if questions arise.
Areas of Concern

- Before PHI is removed from a facility for business purposes by any means, electronic or hard copy, the following questions must be answered:
  1. Does it need to go outside the facility?
  2. If so, are reasonable safeguards in place to protect the data from breach during
Examples of HIPAA Potential

- Text messaging medical information about a patient to anyone!
- An employee passing on information to her son about his spouse or their children
- Allowing a former employee, friends, family, or co-workers into off-limits areas where PHI is located; this includes children
- Taking pictures of patients with a cell phone
Examples of HIPAA Potential

- Releasing information to a caller who is not properly identified as being authorized to receive
- Mailing/faxing PHI to the wrong person
- Looking at the PHI of a co-worker, supervisor, family, friends, or self for non-work reasons
- Posting information about a patient or specific information about a day at your workplace on a social networking site such as Facebook
No Excuses

- Good intentions such as "I needed to let his mother know he was in the hospital," or, "She is my best friend and she wouldn't mind me looking," do not count.
- Just plain nosiness is NO excuse.
Reporting Suspected Violations of our Privacy Policies

Suspected HIPAA violations should be reported to:
- Your Supervisor
- The Facility Privacy Office
- The Corporate Compliance and Privacy Officer

The Confidential Disclosure Program Hotline may also be used by calling 1-800-495-9510.


Compliance with HIPAA is part of our

- Compliance with HIPAA is part of your job
- Noncompliance may result in disciplinary action up to and including termination.
- Noncompliance may also result in civil and/or criminal penalties.
This Facility Protects Patient Privacy

- Assigning a Facility Privacy Officer
- Having written policies and procedures to help employees understand the privacy rules
- Providing this privacy training to the
- Putting in place ways to protect health information from being misused
- Having a way for patients and others to file complaints
- Providing discipline for employees who don't follow the privacy practices
What is the Notice of Privacy Practices?

The Notice of Privacy Practices (sometimes referred to as the NPP) is:
- An explanation to our patients of how their personal PHI is used and disclosed
- The start of a dialogue with our patients regarding the purpose of the uses of information
- An explanation of the patient's rights as defined by the HIPAA Privacy Regulations

The Notice of Privacy Practices is:
- Available in a paper copy
- On the facility web site
- Posted in facility
Disclosures with Authorization

- A valid Authorization is required for certain disclosures to:
  - Attorneys
  - Schools
  - Others
- Applies to situations where use falls outside of treatment, payment, and healthcare operations and for which there is no exception to the authorization requirement
- Only certain staff members are permitted to accept and act upon patient authorizations
Disclosures Not Requiring Patient

- Required by Federal or state law
  - Workers compensation
  - Birth reporting
  - Child abuse or domestic violence reporting
- Required for public health reasons
  - Sexually transmitted diseases
  - FDA-regulated products
- Required for national security reasons
  - Prevent a serious threat of harm to the individual or others

If in doubt, check with the Facility Privacy Officer before disclosing the information.
Facility Directory Disclosures

- The patient must be given the opportunity to opt out of the directory
- Unless the patient objects, the following PHI may be included in the facility directory and given to those individuals who inquire about the patient by name:
  - Name
  - Location within the facility
  - Condition of the patient in general terms (e.g., good, critical, serious)
  - Only members of the clergy may have access to the religious affiliation of the patient, if provided
- If the patient has opted out of the patient directory, no information may be discussed; simply say, "I have no information on that
Patient Rights

Under the HIPAA Privacy Regulations, patients have the right to:
- Receive the Notice of Privacy Practices
- Inspect and request a copy of their PHI
- Know to whom their information is being disclosed in certain situations
- Request restrictions on use and disclosure of their
- Request an amendment to their PHI
- Request confidential communications of their PHI
Case Study

While working on the fourth floor, Sally Housekeeper noticed that her neighbor Penny Patient was walking down the hall in a hospital gown and pushing an IV pole. When she went home later that day, she told her husband that she saw their neighbor on the cancer unit.

Is this a HIPAA Violation? Why?

Case Study

Penny Patient is waiting in the outpatient clinic. Nurse Jones enters the waiting room and calls out, "Penny Patient."

While still in the waiting room, Nurse Jones asks Penny Patient, "Have you been taking your Prozac for your depression?"

Is this a HIPAA Violation? Why?

Case Study

Nurse Jane sees an employee looking through the medical records to find out medical information about another employee who is a patient in the facility, but Nurse Jane is not one of the caregivers for the patient.

What should Nurse Jane do?
How do I begin…?

- Become privacy focused
- Know and follow the HIPAA Privacy Policies and our facility's privacy procedures
- Understand the importance of privacy to our organization and our patients, and to keep yourself safe from civil or criminal
- Be sensitive to the patient's privacy needs and rights
- Keep patient information as private as you would want your own information kept
To recap…

- The facility is committed to and serious about patient privacy
- All complaints regarding patient privacy will be taken seriously
- The facility will investigate all privacy complaints
- Employees who violate the HIPAA Privacy Policies or any privacy practices and procedures will be subject to disciplinary actions, which could include verbal or written warnings, suspension from duties, or termination
- Retaliation against any person for reporting actual or suspected violations will not be tolerated
What can happen if I violate CHS Policy or break the law?

- Under recent changes in the law, state and federal authorities may now hold workforce members individually responsible for their
- Fines ranging from $50,000 per violation to as much as $250,000
- Criminal prosecution and up to 10 years in jail may occur depending on the type of violation
- Civil suits by state Attorneys General against the facility
- Violation of CHS policy will result in appropriate disciplinary action up to and including termination
Notable Enforcement Action…

Fernando Ferrer, Jr. and Isis Machado
- Machado, an employee at Cleveland Clinic, used her computer access to obtain PHI, which was then sold to her cousin, Fernando Ferrer.
- Ferrer used the stolen PHI to submit fraudulent claims in excess of $7 million.
- Charged with:
  1. Computer fraud
  2. Conspiracy to commit identity theft
  3. Conspiracy to wrongfully disclose IIHI (HIPAA)
- Ferrer: 87 months prison, 3 years supervised release, restitution $2,505,883.43.
- Machado: 3 years prison, 6 months home confinement, same
A Case of Identity Theft…NOT!

- Trumann, Northeast Arkansas:
  - After entering a guilty plea to a criminal HIPAA violation, a nurse faces up to 10 years in prison and a possible fine of $250,000.00!
  - This was not a case of identity theft or stolen financial
  - The information was reportedly disclosed to her husband, who threatened to use the information against the patient in an upcoming legal proceeding!
- Kaiser Permanente Bellflower Medical Center was fined $250,000 for failing to keep workers from peeking at "octomom" Nadya Suleman's electronic health records
- 23 unauthorized staff and physicians accessed the records, including some at other Kaiser
- 1 person was fired, 14 others resigned, and 8 were disciplined
Sentenced to Prison

- A 22-year-old woman was sentenced to a year in prison for illegally accessing another woman's medical records at her place of employment and then posting on a MySpace page that the other woman had HIV.

- Confidentiality and protecting PHI is everyone's job.
- Privacy Matters. Don't discuss protected healthcare information in public or with those who do not need to know.
- Don't get casual about privacy and

It could be your health information that someone is talking about.
